Now the browser, which Apple CEO Steve Jobs once called the "most
innovative browser in the world and the most powerful browser in the
world", has had more bad news. At the CanSecWest Show,
an annual security conference, it was found that the Safari
browser was surprisingly insecure, allowing successful attacks on Mac
computers.

CanSecWest sponsors an annual hacking contest, which seeks to
recognize vulnerabilities and give a comparative analysis of OS security.
A Mac, Vista machine, and Ubuntu box survived the first round, which only
allowed pre-authentication attacks – a successful attack would have yielded a
$20,000 prize. However, on the second day, the floodgates were opened
and hackers were allowed to use default-installed client applications.

The Mac fell within minutes, hijacked by security researcher
Charlie Miller. Miller compromised the computer through security flaws in
the new Safari 3.1 browser, which he declined to make public. For his
takeover via the new vulnerability, Miller netted a sweet prize of
$10,000. Surprisingly, the hackers were unable to gain control of the
Vista or Ubuntu machines that day.

On the third day, hackers were allowed to exploit popular
third-party applications. Hackers found the Vista machine surprisingly
hard to crack in what they thought would be an "easy pickings"
day. The improved security is likely owing largely to SP1, perhaps
because of NX support for heap memory. In the end it was taken down by a
cross-platform Flash Player attack. The Ubuntu machine survived the day.

Some point out that the Mac and the other machines may be even more vulnerable
than the show indicates: a pre-authentication vulnerability might command a
price of $50,000 or more elsewhere, making it unprofitable to burn such an
exploit at the show. According to eWeek's security analysts, "Safari is prone
to a remote code-execution vulnerability because it fails to adequately handle
regular expressions with large, nested repetition counts. Inaccurate
compilation lengths are calculated, and an overflow results."
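The eWeek description above (nested repetition counts whose compiled size is miscalculated) is a bug class that a defender can bound before a user-supplied pattern ever reaches the regex engine. What follows is an added example, not code from the article or from Apple or WebKit: a small Python walker that estimates how many unrolled copies of each atom a compiled pattern would need, taking counted quantifiers as written and treating `*`, `+` and `?` as a single loop body, and refusing patterns above a limit. The `MAX_EXPANSION` value, the function names and the sample patterns are all assumptions made for this example.

```python
import re

# Constructed policy limit: the largest worst-case unrolled size we accept
# before handing a pattern to the regex engine. Tune per deployment.
MAX_EXPANSION = 10_000

# Counted quantifier forms: {n}, {n,}, {n,m}
_QUANT = re.compile(r"\{(\d+)(?:,(\d*))?\}")


def estimated_expansion(pattern: str) -> int:
    """Worst-case number of unrolled atom copies a compiler might emit.

    Rules (assumptions for this guard, not any engine's actual algorithm):
      - a literal, escape or character class counts as one atom
      - {n} and {n,m} multiply the enclosed size by n resp. m
      - {n,} multiplies by n (at least 1); *, + and ? multiply by 1,
        since they compile to a loop body rather than being unrolled
      - alternation takes the larger branch
    Raises ValueError on unbalanced parentheses or classes.
    """
    pos = 0

    def parse_alt() -> int:
        nonlocal pos
        best = parse_seq()
        while pos < len(pattern) and pattern[pos] == "|":
            pos += 1
            best = max(best, parse_seq())
        return best

    def parse_seq() -> int:
        nonlocal pos
        total = 0
        while pos < len(pattern) and pattern[pos] not in "|)":
            total += parse_quantified()
        return total

    def parse_quantified() -> int:
        size = parse_atom()
        return size * parse_quantifier()

    def parse_atom() -> int:
        nonlocal pos
        ch = pattern[pos]
        if ch == "(":
            pos += 1
            if pattern[pos:pos + 1] == "?":        # (?: (?= (?! (?<= (?<! (?<name>
                pos += 1
                if pattern.startswith(("<=", "<!"), pos):
                    pos += 2
                elif pattern[pos:pos + 1] == "<":
                    pos = pattern.index(">", pos) + 1
                else:
                    pos += 1
            inner = parse_alt()
            if pos >= len(pattern) or pattern[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            pos += 1
            return inner
        if ch == "\\":
            pos += 2                                # escape sequence is one atom
            return 1
        if ch == "[":
            end = pos + 1
            if pattern[end:end + 1] == "^":
                end += 1
            if pattern[end:end + 1] == "]":         # leading ']' is literal
                end += 1
            while end < len(pattern) and pattern[end] != "]":
                end += 2 if pattern[end] == "\\" else 1
            if end >= len(pattern):
                raise ValueError("unterminated character class")
            pos = end + 1
            return 1
        pos += 1                                    # any other single-char atom
        return 1

    def parse_quantifier() -> int:
        nonlocal pos
        if pos >= len(pattern):
            return 1
        m = _QUANT.match(pattern, pos)
        if m:
            pos = m.end()
            lo, hi = int(m.group(1)), m.group(2)    # hi: None for {n}, '' for {n,}
            count = lo if hi is None else (max(lo, 1) if hi == "" else int(hi))
        elif pattern[pos] in "*+?":
            pos += 1
            count = 1
        else:
            return 1
        if pos < len(pattern) and pattern[pos] in "?+":   # lazy / possessive suffix
            pos += 1
        return count

    total = parse_alt()
    if pos != len(pattern):
        raise ValueError(f"unexpected ')' at offset {pos}")
    return total


def check_pattern(pattern: str, limit: int = MAX_EXPANSION) -> bool:
    """True when the pattern's worst-case unrolled size is within the limit."""
    return estimated_expansion(pattern) <= limit


def safe_compile(pattern: str, limit: int = MAX_EXPANSION):
    """Reject oversized patterns before the engine sees them, else compile."""
    if not check_pattern(pattern, limit):
        raise ValueError("pattern exceeds nested repetition budget")
    return re.compile(pattern)


if __name__ == "__main__":
    for p in ["(a{100}){100}", "((a{100}){100}){100}"]:   # constructed samples
        print(p, estimated_expansion(p), "accepted" if check_pattern(p) else "rejected")
```

The walker deliberately counts only what a compiler would unroll, so an unbounded `*` does not inflate the estimate; the nested counted case from the eWeek quote is exactly what the multiplication across group levels catches.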

Miller did not even need a new vulnerability, as two others are already known
for Safari. The first is a simple overflow attack using zip files.
The second allows injection of content into a window belonging to a
trusted site.

A recent independent analysis confirmed that Apple
patches its vulnerabilities slower than Microsoft. The analysis
followed a controversial Microsoft report by Jeff Jones, known
for trashing Firefox for its bugs. The report indicated that 36
vulnerabilities in Vista were fixed over a total of nine patching events, and
30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities
were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.

Apple's patches last year showed a slower than acceptable patching
pace: they included fixes for four vulnerabilities known since 2006 and two
known since 2005. The oldest of these, a vulnerability in Apache, had a fix
released by Apache in 2005.

Security experts point out that despite Apple's poor security,
its machines remain less attacked than Windows machines. Many believe
this is simply a matter of market share. With Mac
sales on the rise, there may soon be a large increase in Apple-targeted malware
and takeovers, with the Safari browser taking the brunt of the attacks.

Comments


Except Safari is worth the time and resources to continue. If Apple doesn't have Safari, we wouldn't have:
1) WebKit
2) Safari for Mac (since IE for Mac was discontinued)
3) Safari for iPhone
4) Safari for iPod touch
5) Nokia based WebKit browser

Safari and WebKit have done a lot for mobile browsing and lightweight browsing. If FireFox could take marketshare away from IE, there is no reason to think Safari couldn't as well; competition means better browsers for everyone, so as long as Apple can afford it, I think Safari for Windows is a great idea, if for no other reason than that Microsoft and FireFox cannot "rest on their laurels".

Wow... you have just named 5 things I couldn't care any less about, have never used and likely never will.

Agreed though in theory. Competition is better for all consumers. I hope Apple does well, with Safari, Macs, iPhone, etc. Especially Mac. If they start selling more it will force the PC side to innovate faster and/or lower prices.

You're not supposed to care about them. I didn't write that list of things that you should care about, it was a list of things that Apple cares about.

There is no IE, so Apple has to use Safari, on Mac. They likewise ported Safari to the iPhone and iPod touch in order to have the "best" web experience on those platforms; again, they don't need you to care.

WebKit is important because of its contribution to competition and diversity, since it is the foundation for Nokia's N60 browser and Android's web browser.

Which is where my last point concludes; WebKit and Safari are important for competition. It is already the most used mobile web browser over pocket IE and FireFox. It's pushing Microsoft and Mozilla to try harder on portables, and that is good for us.

I will re-iterate my point. If Android takes off, so too will WebKit because Android uses WebKit.

Which means, in the end, increasing competition against Microsoft and FireFox; as long as people use WebKit, then developers will fix WebKit, and therefore Apple will see positive returns on WebKit, further encouraging Apple to continue to develop and ship Safari.

The point of this thread was someone said Apple should can Safari, and the existence of Android, N60 browser, the iPhone, the iPod touch, and the Mac all argue against canning Safari.

I agree with one thing: since Safari was introduced in the browser wars, that war and competition got incredibly hot and even Opera and Apple got to pass Acid 3 quite quickly (even if dev builds).

The rest: Safari has a chance and niche for Mac-ers running Windows, IE haters that will go Safari just because they like it or think Apple is cool, and a small number of random people, but the game already has its strong players AND Safari ain't really better than those.

Those 5 points you mention are not medium-weights and don't make for anything outside themselves to be honest.